Hi guys,
I am hitting a problem during upgrading/testing of Puppet v3, something
I've missed during my earlier testing, affecting AIX 5.3 only (actually
I've only got AIX5.3/6.1 to play with so I can't be certain it only affects
5.3). I can say that it doesn't appear to affect any of my Solaris
(5.8-5.10) or my HP-UX (11.23).
After upgrading to puppet 3.1.0 on both master & client (where master is
running Redhat Linux) I get the following when trying to use the signed
certificate:
myaix53client[/]# /opt/freeware/bin/puppet agent -t
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate for /CN=mymaster.mydomain.com]
Info: Retrieving plugin
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate for /CN=mymaster.mydomain.com]
Error: /File[/var/lib/puppet/lib]: Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate for /CN=mymaster.mydomain.com]
Could not retrieve file metadata for puppet://mymaster.mydomain.com/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate for /CN=mymaster.mydomain.com]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate for /CN=mymaster.mydomain.com]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate for /CN=mymaster.mydomain.com]
I've googled and seen numerous hits in both the Puppet Users list and in
blogs suggesting as a root cause either a time synchronisation problem
(ruled out for me as it's affecting my entire AIX 5.3 fleet) or a problem
with the SSL cert that's being presented by the Puppet Master. Posts
suggest blowing away $ssldir on both master/client ought to fix the second
possibility, but hasn't for me.
Experimentation with openssl s_client shows that I get the same response
from the server on AIX 5.3 as I do on AIX 6.1 (where it works).
Here is an example from the AIX5.3 client -
myaix53client[/]# /opt/freeware/bin/openssl s_client -connect mymaster:8140 -CApath /var/lib/puppet/ssl/certs
depth=1 CN = Puppet CA: mymaster.mydomain.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
CONNECTED(00000004)
---
Certificate chain
 0 s:/CN=mymaster.mydomain.com
   i:/CN=Puppet CA: mymaster.mydomain.com
 1 s:/CN=Puppet CA: mymaster.mydomain.com
   i:/CN=Puppet CA: mymaster.mydomain.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICqzCCAhSgAwIBAgIBAjANBgkqhkiG9w0BAQUFADAwMS4wLAYDVQQDDCVQdXBw
ZXQgQ0E6IHB1cGducGFwcGwwMDEub3B0dXMuY29tLmF1MB4XDTEyMDgwNjA2MDc1
NFoXDTE3MDgwNjA2MDc1NFowJTEjMCEGA1UEAwwacHVwZ25wYXBwbDAwMS5vcHR1
cy5jb20uYXUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMtJ/p3FmrFTb2Nr
43C2duoizB+8DtHUULjEvgCbg1YCmHemW1mAl3aUjYFbPR4dsEmJh32+IXjZw4Mn
5QeO8H40hJJ2jDj3vyegG/z1HC532WuAV3JEeIw5N6l3z6v4UFkCS29PABzozEKI
7awR7blQOOzt2CQx7bb5khnzwxUnAgMBAAGjgd8wgdwwQgYDVR0RBDswOYIacHVw
Z25wYXBwbDAwMS5vcHR1cy5jb20uYXWCBnB1cHBldIITcHVwcGV0Lm9wdHVzLmNv
bS5hdTAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBSd0VfbkcEwLB9Y8VnWMZrpjZ0A
RjAOBgNVHQ8BAf8EBAMCBaAwNwYJYIZIAYb4QgENBCoWKFB1cHBldCBSdWJ5L09w
ZW5TU0wgSW50ZXJuYWwgQ2VydGlmaWNhdGUwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
AwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBBQUAA4GBAHhsQsX8jfaG51E4aYLOcNO0
ebeSuGY8eglZg903S9PCPPIrpGtfYDBh0YCZpRPxo2Ya3kTU7OnK6mCTslmnLeuS
KQKRv4Fv7VRjaF55PIx8gmiZ3hW68zbVQNb1p3rL0yDOSBYLdUs4KYcQawJQVNog
OBV2mRiyAB04r6APyMjl
-----END CERTIFICATE-----
subject=/CN=mymaster.mydomain.com
issuer=/CN=Puppet CA: mymaster.mydomain.com
---
No client certificate CA names sent
---
SSL handshake has read 1869 bytes and written 418 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 4C5033405A55AEDA43025C1AE1350211811230DCEF6E9F8956492772B7710750
Session-ID-ctx:
Master-Key: 5471D567F94E7EC9AFD96E0D3CEEC26EEB288DCD33246B11FFCF6AD8C8FDA3B1A8CEB47F63881557E4D3F3D3276DC425
Key-Arg : None
PSK identity: None
PSK identity hint: None
Start Time: 1360555895
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
closed
Variations on this command compared against similar commands from a working
AIX6.1 client show similar output.
I also tried generating the certificate on the master using
https://gist.github.com/ahpook/1182243
mymaster# puppet cert --generate myaix53client.mydomain.com
and then copying to the appropriate directories, and I got the same result.
This leads me to suspect I am encountering a bug in puppet - although I
can't be certain. I can't see any open bug that seems to match.
I note that my AIX 5.3 fleet openssl doesn't support SHA256 - see
http://projects.puppetlabs.com/issues/17295. The patch I submitted there
was only tested on HP-UX, which at the time was the only platform I had
identified the issue on. That said, I can't see how lack of SHA256 could
be the root cause, or why it would work fine on my HP-UX, where I
likewise lack SHA256?
So, just wondering if anyone out there can think of anything else I can
try? At worst, this is a showstopper that completely prevents the use of
Puppet on AIX5.3 - which is an old release, I guess, but I suspect lots of
people still use it. At the moment, I can't, at any rate, find a
workaround. At best, it's certainly a showstopper for me. :-)
Kind regards,
Alex Harvey
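An added diagnostic example, not part of the post above and not Puppet's own code. The agent does its certificate verification through Ruby's OpenSSL binding, so the same check is reproduced here in Ruby: a throwaway CA and a server certificate are minted in the script (constructed fixtures; the CN values are assumptions standing in for the Puppet CA and the master), and the chain is verified three ways to show what OpenSSL's numeric result actually means. Verify error 19 ("self signed certificate in certificate chain") is the code OpenSSL returns when the issuing CA is present in the chain the server sent but absent from the client's trust store; clock skew produces a different code (9 or 10). One caveat relevant to the s_client transcript above: `-CApath` expects a directory of hash-named files as produced by `c_rehash`, which Puppet's `ssl/certs` directory is not, so s_client returns num=19 from that directory even on a healthy client; `-CAfile /var/lib/puppet/ssl/certs/ca.pem` is the comparable manual check.

```ruby
require 'openssl'

# --- constructed test fixtures (not real Puppet certificates) ---------------
# The names are assumptions standing in for the Puppet CA and the master.
CA_NAME     = '/CN=Puppet CA: mymaster.mydomain.com'
SERVER_NAME = '/CN=mymaster.mydomain.com'

# Mint an X.509 v3 certificate. With no issuer_cert/issuer_key it is self-signed.
def make_cert(subject, key, serial, ca:, issuer_cert: nil, issuer_key: nil,
              not_before: Time.now - 60, not_after: Time.now + 3600)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after  = not_after
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer_cert || cert
  # OpenSSL will not accept a v3 certificate as an issuer without CA:TRUE.
  cert.add_extension(ef.create_extension('basicConstraints',
                                         ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

CA_KEY      = OpenSSL::PKey::RSA.new(2048)
SERVER_KEY  = OpenSSL::PKey::RSA.new(2048)
CA_CERT     = make_cert(CA_NAME, CA_KEY, 1, ca: true, not_before: Time.now - 86_400)
SERVER_CERT = make_cert(SERVER_NAME, SERVER_KEY, 2, ca: false,
                        issuer_cert: CA_CERT, issuer_key: CA_KEY)

# --- the check a TLS client performs ----------------------------------------
# `presented` is the chain the server sent (untrusted); `trusted` is what the
# client holds in its CA store; `at` is the client's idea of the current time.
# Returns [ok, error_code, error_string, error_depth].
def verify_chain(server_cert, presented, trusted, at: Time.now)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  ctx = OpenSSL::X509::StoreContext.new(store, server_cert, presented)
  ctx.time = at
  ok = ctx.verify
  [ok, ctx.error, ctx.error_string, ctx.error_depth]
end

# Map OpenSSL's numeric verify result onto the operational cause.
def diagnose(code)
  case code
  when OpenSSL::X509::V_OK
    'chain verifies'
  when OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN,        # 19
       OpenSSL::X509::V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,      # 18
       OpenSSL::X509::V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY # 20
    'CA not in the client trust store (missing, stale or unhashed CA path)'
  when OpenSSL::X509::V_ERR_CERT_NOT_YET_VALID,               # 9
       OpenSSL::X509::V_ERR_CERT_HAS_EXPIRED                  # 10
    'clock skew or expired certificate'
  else
    "other verify error #{code}"
  end
end

if __FILE__ == $0
  [['CA trusted',                  [CA_CERT], Time.now],
   ['CA only in presented chain',  [],        Time.now],
   ['client clock an hour behind', [CA_CERT], Time.now - 3600]].each do |label, trusted, at|
    ok, code, msg, depth = verify_chain(SERVER_CERT, [CA_CERT], trusted, at: at)
    puts "#{label}: ok=#{ok} num=#{code} depth=#{depth} (#{msg}) -> #{diagnose(code)}"
  end
end
```

The second case reproduces the exact condition in the s_client output (num=19 at depth 1) and the third shows why a time-synchronisation problem is distinguishable from a trust-store problem by the error number alone, which is the first thing worth checking before rebuilding $ssldir.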